Some web servers require the user of a client device to authenticate successfully before the user is granted access. For example, the user may be required to supply a one-time passcode (OTP) generated by a hardware token in the user's possession, so that possession of the token demonstrates that the user is legitimate (i.e., not an impostor). As another example, adaptive authentication factors, such as the geo-location of the client device (or of the client device's ISP/network), the time of day of the access attempt, and the access frequency, may be collected and assessed against the user's previous behavior to determine whether the user is legitimate. As yet another example, the user may be required to answer a knowledge-based authentication (KBA) question (i.e., correctly respond to a question that the real user should be able to answer).
During such authentication, an authentication server compares the current information obtained from the user's client device to the information it expects (e.g., the passcode the server itself computes for the user's token, or the user's established pattern of behavior). If the current information matches the expected information within the tolerance the server allows, authentication is successful. If it does not, authentication is considered unsuccessful.
When authentication is successful, the user is granted access to the web server. When authentication is unsuccessful, the user may immediately be given another opportunity to authenticate and, if that attempt is also unsuccessful, the user is denied access to the web server.
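The following is an added illustration of the three factors and the compare-then-retry-once flow described above; it is example code written for this discussion, not part of the original document and not any particular vendor's implementation. The OTP functions follow the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms and are checked against the RFC test secret; the one-point-per-deviation adaptive risk score, its threshold of 2, the user profile, the KBA answer and the login attempts are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


# Factor 1: one-time passcode from a hardware token (HOTP, RFC 4226; TOTP, RFC 6238).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of elapsed time steps (RFC 6238)."""
    return hotp(secret, unix_time // STEP, digits)


def otp_matches(secret: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and +/-skew neighbours to tolerate token clock drift;
    compare in constant time so the server does not leak how many digits matched."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), submitted)
               for d in range(-skew, skew + 1))


# Factor 2: adaptive factors assessed against previous behaviour.
# The point-per-deviation scoring and the threshold are assumptions of this example.
@dataclass
class LoginProfile:
    countries: frozenset        # countries seen in prior successful logins
    usual_hours: range          # hours of day at which the user normally logs in
    max_attempts_per_hour: int  # access frequency considered normal


@dataclass
class Attempt:
    country: str
    hour: int
    attempts_last_hour: int
    otp: str
    kba_answer: str
    unix_time: int


def adaptive_risk(profile: LoginProfile, a: Attempt) -> int:
    """One risk point for each factor that departs from prior behaviour."""
    return (int(a.country not in profile.countries)
            + int(a.hour not in profile.usual_hours)
            + int(a.attempts_last_hour > profile.max_attempts_per_hour))


# Factor 3: knowledge-based authentication; only a salted hash of the answer is stored.
def kba_digest(answer: str, salt: bytes) -> bytes:
    norm = " ".join(answer.strip().lower().split())   # tolerate case/whitespace differences
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


def kba_matches(stored: bytes, salt: bytes, answer: str) -> bool:
    return hmac.compare_digest(kba_digest(answer, salt), stored)


class AuthServer:
    """Compares submitted information to expected information; one retry, then deny."""
    MAX_ATTEMPTS = 2

    def __init__(self, otp_secret, profile, kba_salt, kba_stored, risk_threshold=2):
        self.otp_secret, self.profile = otp_secret, profile
        self.kba_salt, self.kba_stored = kba_salt, kba_stored
        self.risk_threshold = risk_threshold

    def verify(self, a: Attempt) -> bool:
        return (otp_matches(self.otp_secret, a.otp, a.unix_time)
                and kba_matches(self.kba_stored, self.kba_salt, a.kba_answer)
                and adaptive_risk(self.profile, a) < self.risk_threshold)

    def login(self, attempts) -> str:
        for a in attempts[:self.MAX_ATTEMPTS]:   # a third attempt is never evaluated
            if self.verify(a):
                return "granted"
        return "denied"


# Constructed sample data: the RFC 4226/6238 test secret and a hypothetical user profile.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
SERVER = AuthServer(SECRET, LoginProfile(frozenset({"US"}), range(8, 19), 5),
                    SALT, kba_digest("Rex", SALT))


def run_scenarios() -> dict:
    ok = dict(country="US", hour=10, attempts_last_hour=1, kba_answer=" rex ", unix_time=59)
    good = Attempt(otp=totp(SECRET, 59), **ok)                       # OTP "287082"
    typo = Attempt(**{**ok, "otp": "000000"})
    odd = Attempt(**{**ok, "otp": totp(SECRET, 59), "country": "RU", "hour": 3})
    return {
        "retry_succeeds": SERVER.login([typo, good]),     # granted on the second try
        "two_failures": SERVER.login([typo, typo, good]), # denied: no third opportunity
        "risky_context": SERVER.login([odd, odd]),        # denied: right secrets, wrong behaviour
    }
```

The third scenario is the one worth noting: the OTP and the KBA answer are both correct, yet access is denied because two adaptive factors (country and hour) depart from the user's established behaviour, which is exactly the case adaptive authentication exists to catch.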